Every now and then a would-be criminal online picks the wrong potential victim. I was recently selling a 1995 Ford Escort on the site Craigslist.com and had a number of interested buyers. One such candidate offered a $500 IOU plus a six-month supply of tile grout. Luckily, he never showed up. Another potential buyer, by the name of Amanda Q. McCombs, wrote:


I want to buy it, where are you exactly located? any damage any rust?
AMANDA Q MCCOMBS
SENT FROM MY IPHONE at 12:22:13

I wrote back:


hi amanda,
there is no rust. typical wear for a 95 car. and the damage is only those things i listed in the advertisement. The biggest thing is the transmission and 2nd gear slippage. it is not noticeable if driven easy. i am located off of **th street in redmond. thanks for your interest!

Amanda responded:

Response with hyperlink from "Amanda"


Clicking on the link in the message led me to a page resembling an account login for Craigslist:

If you look closely at the URL, it has nothing at all to do with Craigslist:


This was a spear phishing attack, and I would have been a victim had I entered my user name and password. Though this attempt would not have fooled most Internet-savvy people, it would have fooled my mom. Here is a link that more fully describes this type of attack:

http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx

And what exactly could Amanda have done with my Craigslist account? She could view all my postings (information disclosure). She could hijack my account by changing the password. She could silently monitor all my future activities and perhaps find out what area I live in, what types of belongings I have, and what services I provide or want to buy. If I post to the personals, she could know what types of people I am interested in dating or activities I would like to pursue. This information could be leveraged for an even more targeted spear-phishing attack.

Amanda could, in addition, start trying to break into my email account; if I used the same password for both accounts, this would be easy. So compromising my Craigslist account could be an important starting point for a more thorough theft of my identity.

In this failed attack, there were a few pieces of information I had about Amanda: her "from" email address (ending in @live.com), her "reply-to" email address (ending in @insightbb.com), and the phishing website she was trying to lead me to (hosted on cralgsIist.com).

If something similar happens to you, you can take the following action (as I did):

  1. Report the Windows Live account used in this attack to abuse@live.com.
  2. Look up whose domain the "reply-to" address leads to, and report the attack to them. In this case, I found out that the domain insightbb.com is used by a broadband ISP out of Louisville, KY. I contacted their security department and notified them that the email address she used in her "reply-to" field was involved in attacks against Craigslist users.
  3. Look up the domain used in the phishing URL, and report the abuse to the owner. In this case, I looked up the cralgsIist domain and saw that it was registered to Fiona Petrie in Great Britain, by Tucows Inc. I then alerted Tucows about the malicious nature of this site.
  4. File a complaint with the Internet Crime Complaint Center (www.ic3.gov), giving all the details of the attack.
  5. File another complaint with the National Consumers League's Fraud Center (www.fraud.org).
  6. Notify Craigslist of the incident.

At this point, I received acknowledgements from the above agencies/companies regarding my complaints.

Criminals can phish with near-impunity -- one of the reasons these types of attacks are prevalent. Follow some basic safety precautions to help prevent your credentials from being given to untrustworthy parties:

  • Verify the address you are visiting is indeed the intended address. For example, ensure you are not visiting cralgsIist.org thinking that it is craigslist.org.
  • Do not give out personal information just because an email asks you to, even if that email looks to be originating from a trusted source.
  • Report these types of attacks to the relevant abuse departments and complaints agencies.
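The two checks this story turns on, comparing the host in a link against the site you actually meant to visit and noticing that the "reply-to" domain differs from the "from" domain, can be automated. The following is an added example and not code from the original post: it folds visually confusable characters (capital I for lowercase l, 1 for l, 0 for o) so that cralgsIist and craigslist collapse to the same skeleton, flags single-character typo-squats by edit distance, and reports a Reply-To domain that differs from the From domain. The TRUSTED_DOMAINS list and the sample message are assumptions made for the example; the message's local parts and subject are invented, while the domains are the ones named in the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Sites the user actually intends to log in to (assumed list for this example).
TRUSTED_DOMAINS = {"craigslist.org", "craigslist.com"}

# Characters that imitate another letter in common fonts, folded to one
# representative so "cralgsIist" and "craigslist" reduce to the same skeleton.
CONFUSABLES = str.maketrans({
    "I": "l", "i": "l", "1": "l", "|": "l",  # i / l / 1 / | look alike
    "0": "o",
    "5": "s",
    "8": "b",
})

URL_RE = re.compile(r"https?://[^\s<>]+")


def skeleton(host):
    """Lowercase, confusable-folded form of a hostname for comparison."""
    return host.lower().translate(CONFUSABLES)


def registrable(host):
    """Last two labels of the host. Adequate for .com/.org; not correct for
    ccTLD second-level zones such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return 'trusted', 'lookalike' or 'unrelated' for a link's hostname."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if skeleton(reg) == skeleton(trusted) or edit_distance(reg, trusted) <= 1:
            return "lookalike"
    return "unrelated"


def analyze_message(raw):
    """Return a list of human-readable findings for a raw RFC 822 message."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_addr.rpartition("@")[2].lower()
    findings = []
    # A Reply-To that routes answers to a different provider than the sender
    # is the mismatch seen in the post (@live.com vs @insightbb.com).
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from from domain {from_dom}")
    # Every link in the body is checked against the intended site.
    for url in URL_RE.findall(msg.get_payload()):
        host = urlparse(url).hostname or ""
        if classify_host(host) == "lookalike":
            findings.append(f"lookalike domain in link: {host}")
    return findings


# Constructed sample message: addresses and subject are invented, the domains
# are those named in the post.
SAMPLE_EMAIL = """\
From: Amanda <example-sender@live.com>
Reply-To: example-reply@insightbb.com
Subject: Re: 1995 Ford Escort
Content-Type: text/plain

Please log in to confirm the listing:
http://www.cralgsIist.com/login?next=/post
"""

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_EMAIL):
        print(finding)
```

The skeleton comparison is what catches this particular page: lowercasing alone turns cralgsIist into cralgsiist, which still differs from craigslist in two positions, but once i, I, l and 1 are folded to one class both names become cralgsllst. The edit-distance check covers the other common pattern, a single dropped or swapped letter.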

Nikola Livic